Yamila Levalle
Yamila Vanesa Levalle is an Information Systems Engineer, Security Researcher and Offensive Security Professional with more than 15 years of experience in Infosec.

Over the years, she has discovered vulnerabilities in various applications and systems.

Yamila currently works as Security Researcher in ElevenPaths (Telefonica Cibersecurity Unit) where she specializes in offensive/defensive techniques, conducts researches, publishes articles on different information security issues and develop security tools in Python.

She is an international security conference speaker and has presented her research at important events such as OWASP Latam Tour, Infosec UTN and Notpinkcon. She has also taught ethical hacking courses for women, CTF courses for beginners and several information security awareness and training courses and talks.

Compromising Enterprise Networks from their own SIEM
Technical Level (3 being the highest score): 2

SIEMs are defensive tools increasingly used in information security, especially in large companies and regulated companies to monitor critical networks and devices. However, from the point of view of the attacker, the permissions that the SIEMs have on the devices and accounts of a corporate network are very broad, and administrative access to a SIEM can be used to obtain code execution in the server where the SIEM is installed, and in some cases in the "client" equipment of which the SIEM collects the events such as Active Directory servers, Databases and network devices like Firewalls and Routers.

During our investigation, we detected many attack vectors that could be used in different SIEMs to compromise them, such as:

• Obtaining the user accounts and passwords of critical equipment stored in the SIEM (corporate servers, databases, network devices, generally accounts with administrative permissions)
• Developing and installing malicious applications such as a web shell or a reverse shell to compromise the server where the SIEM is installed, or send malicious applications to compromise the devices from which the SIEM collects the events
• Performing a brute force attack on the SIEM web interface
• Reading arbitrary files from the server where the SIEM is installed
• Using log events as intelligence source

Based on the results of this research, we developed an open source tool in Python: SIEMs Framework that allows to automate the mentioned attacks, both in commercial and open source SIEMs, needing only the IP address of the SIEM to attack in order to be used.

In our talk we will see the SIEMs from the point of view of the attacker, in a practical way performing live demonstrations of attacks to SIEMs from different vendors, and also in a theorical way, analyzing their security weaknesses and attack vectors that can be used to take control of those servers and the critical devices of the corporate network from which they collect events.

The purpose of the talk is to demonstrate to the participants how the SIEMs can be used as offensive tools, the attack vectors of the different commercial and open source SIEMs and the use of the SIEMs Framework tool, to be able to perform the aforementioned attacks, without needing to know the infrastructure, configuration details or protocols used by the SIEMs to attack.